LDAP, Loads of People, and Account Management


LDAP, Loads of People, and Account Management. Middleware @UMBC.

Middleware @UMBC. Agenda: Motivations; Introduction to LDAP; Managing People; Our First Application: Account Management.

What is a Directory Service? Data; Hardware and Software; Policies and Procedures.

Why build a Directory Service? Consolidation of existing directories. Reduce replication of policies and data. Means: LESS WORK!

Internet 2 Middleware Project (http://www.internet2.edu/middleware). UMBC is one of 11 participating institutions. Goal: enable inter- & intra-institutional collaboration. How: agreed upon data representation and policies.

UMBC’s Environment: a tightly centralized environment. One department (OIT) manages most data sources: Human Resources, SIS, “Technical” data. Data access problems are simple to solve.

Pre LDAP Environment: PH/CSO Nameserver; Account Database; @umbc.edu Mail Redirection; Authorization (Unix): NIS; Authentication (Unix, NT): Kerberos; Account Management: AGUS.

PH/CSO Nameserver: designed by UIUC, early to mid ’90s. Indexed for speedy lookups. Flat organization. “Static” schema. “Synchronized” with HR & SIS systems via text file dumps + perl scripts.

Kerberos Developed at MIT Cross-platform network authentication, including mutual client-server authentication http://www.mit.edu/afs/athena.mit.edu/astaff/project/kerberos/www

AGUS: Account Generation <something something>. Developed at UMBC in 1992, overhauled in 1994-95. http://www.umbc.edu/people/paulr/lisa95.pdf

Brief Introduction to LDAP: Definition; Features; Example Entries.

LDAP - Definition: Lightweight Directory Access Protocol. Originally designed as a front-end to X.500. Not reliant on the bulky OSI protocol stack.

LDAP - Features: Structure; Flexible Schema; Security (authentication); Security (access); Replication / Distribution of Services.

LDAP - Structure: formed by the interpretation of the “Distinguished Names” of elements, e.g. uid=banz,ou=accounts,o=umbc.edu:
o=umbc.edu
    ou=accounts
        uid=banz
    ou=people

LDAP - Structure: Distinguished Names are unique. The attribute types that make them up are not restricted. Typical attributes: ou: Organizational Unit; o: Organization.
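The two structure slides above can be made concrete with a small DN parser. This is an added example, not code from the presentation: it splits a DN into its RDNs following the RFC 4514 grammar (including a backslash-escaped comma inside a value), treats attribute types as case-insensitive, finds an entry's parent, and rebuilds the tree the DNs imply. The entry list at the bottom is constructed; the tree it reproduces is the one on the slide plus one deliberately dangling entry.

```python
"""Parse LDAP distinguished names and rebuild the tree they imply.

Added example, not from the presentation. The DN grammar follows RFC 4514;
the sample entry list at the bottom is constructed for illustration.
"""
from typing import Dict, List, Tuple


def split_unescaped(s: str, sep: str) -> List[str]:
    """Split s on sep, leaving backslash-escaped separators (e.g. '\\,') alone."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])      # keep the escape pair together
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Return the RDNs of dn as (type, value) pairs, leaf first.

    Attribute types are case-insensitive ('Uid' is 'uid'), so they are
    lower-cased. Values are kept as written apart from unescaping '\\,';
    whether 'Banz' equals 'banz' depends on the attribute's matching rule,
    which is a schema question, not a DN one.
    """
    rdns = []
    for rdn in split_unescaped(dn, ","):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        atype, value = rdn.split("=", 1)
        rdns.append((atype.strip().lower(), value.strip().replace("\\,", ",")))
    return rdns


def normalize_dn(dn: str) -> str:
    """Canonical form used as a dictionary key: types lower-cased, commas re-escaped."""
    return ",".join(t + "=" + v.replace(",", "\\,") for t, v in parse_dn(dn))


def parent_dn(dn: str) -> str:
    """DN of the superior entry; '' when dn names a root of the tree."""
    return ",".join(split_unescaped(normalize_dn(dn), ",")[1:])


def is_under(dn: str, base: str) -> bool:
    """True when dn is base itself or lies anywhere beneath it."""
    d = split_unescaped(normalize_dn(dn), ",")
    b = split_unescaped(normalize_dn(base), ",")
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def build_tree(dns: List[str]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Map each normalised DN to its children.

    Entries whose parent is not in the input are returned separately: a
    directory server rejects such an add ("no such object"), so whatever
    loads entries must create the parents first.
    """
    nodes = {normalize_dn(d) for d in dns}
    children: Dict[str, List[str]] = {n: [] for n in nodes}
    orphans: List[str] = []
    for n in sorted(nodes):
        p = parent_dn(n)
        if p == "":
            continue                     # a root such as o=umbc.edu
        if p in children:
            children[p].append(n)
        else:
            orphans.append(n)
    return children, orphans


if __name__ == "__main__":
    # Constructed sample: the slide's tree, a value with an escaped comma,
    # and one entry whose parent does not exist.
    sample = ["O=umbc.edu", "Ou=accounts,o=umbc.edu", "Ou=people,o=umbc.edu",
              "Uid=banz,ou=accounts,o=umbc.edu",
              "cn=Doe\\, Jane,ou=people,o=umbc.edu",
              "uid=nobody,ou=missing,o=umbc.edu"]
    tree, orphans = build_tree(sample)
    for parent, kids in tree.items():
        print(parent, "->", kids)
    print("orphans:", orphans)
```

Only the attribute types are normalised here; value comparison is left to the schema, which is exactly the distinction the next slides draw between case-ignore and case-sensitive strings.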

LDAP – Schema (objects): an entry is a member of one or more object classes. An object class defines which attributes are required or optional.

LDAP – Schema (attributes): an attribute has an identifier (name) and an associated meaning. The meaning of the attribute is typically described in the objectClass definition that first used the attribute. While attributes can be used in other objectClasses, their “meaning” should remain the same.

LDAP – Schema (attributes cont): an attribute is typically one of CIS (Case Ignore String), CES (Case Sensitive String), BIN (Binary), DN (a Distinguished Name), INT (an Integer). Other attribute syntaxes exist; these are just the most typical. Attributes can be single valued or multi-valued.

Example Object - Person. The following is a very simple objectclass, “person”:
objectclass person
    oid 2.5.6.6
    superior top
    requires sn (surname), cn (common name)
    allows description, seeAlso, telephoneNumber, userPassword

Example Object - organizationalPerson. The following objectclass, “organizationalPerson”, builds on “person”:
objectclass organizationalPerson
    oid 2.5.6.7
    superior person
    allows destinationIndicator, facsimileTelephoneNumber, internationaliSDNNumber, l, ou, physicalDeliveryOfficeName, postOfficeBox, postalAddress, postalCode, preferredDeliveryMethod, registeredAddress, st, street, …
Note that since organizationalPerson includes person...
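The schema slides (objects, attribute syntaxes, single vs. multi-valued, and the two example objectclasses) are worth seeing as working validation code, because a directory that does not enforce its schema will happily store whatever a web form sends it. This is an added example, not the presentation's code and not Netscape Directory Server's schema engine: "person" and "organizationalPerson" follow the slides (the X.521 definitions), "posixAccount" is taken from RFC 2307 because the talk's account management uses that schema, the CIS/CES/BIN/DN/INT labels are the slide's, and the two entries at the bottom are constructed. Any attribute not given an explicit syntax is treated as a case-ignore string, which is what most of the organizationalPerson attributes are.

```python
"""Validate entries against objectClass definitions, following superior chains.

Added example, not from the presentation. Classes: person/organizationalPerson
(X.521, as on the slides) and posixAccount (RFC 2307). Entries are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class ObjectClass:
    name: str
    oid: str
    superior: Optional[str]            # None only for 'top'
    requires: Set[str] = field(default_factory=set)
    allows: Set[str] = field(default_factory=set)


@dataclass
class AttributeType:
    syntax: str                        # CIS, CES, BIN, DN or INT (slide's labels)
    single_valued: bool = False


SCHEMA: Dict[str, ObjectClass] = {c.name: c for c in [
    ObjectClass("top", "2.5.6.0", None, requires={"objectclass"}),
    ObjectClass("person", "2.5.6.6", "top", requires={"sn", "cn"},
                allows={"description", "seealso", "telephonenumber", "userpassword"}),
    ObjectClass("organizationalperson", "2.5.6.7", "person",
                allows={"destinationindicator", "facsimiletelephonenumber",
                        "internationalisdnnumber", "l", "ou", "physicaldeliveryofficename",
                        "postofficebox", "postaladdress", "postalcode",
                        "preferreddeliverymethod", "registeredaddress", "st", "street"}),
    ObjectClass("posixaccount", "1.3.6.1.1.1.2.0", "top",
                requires={"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
                allows={"userpassword", "loginshell", "gecos", "description"}),
]}

# Attributes with a syntax other than case-ignore string; everything else is CIS.
ATTRS: Dict[str, AttributeType] = {
    "seealso": AttributeType("DN"),
    "userpassword": AttributeType("BIN"),
    "homedirectory": AttributeType("CES", single_valued=True),
    "loginshell": AttributeType("CES", single_valued=True),
    "uidnumber": AttributeType("INT", single_valued=True),
    "gidnumber": AttributeType("INT", single_valued=True),
}


def effective_classes(name: str) -> List[str]:
    """The class and every superior up to top; KeyError for an unknown class."""
    chain, cur = [], name.lower()
    while cur is not None:
        oc = SCHEMA[cur]
        chain.append(oc.name)
        cur = oc.superior
    return chain


def validate(entry: Dict[str, List[str]]) -> List[str]:
    """Return the list of schema violations; empty means the entry is valid."""
    e = {k.lower(): list(v) for k, v in entry.items()}
    problems: List[str] = []
    if not e.get("objectclass"):
        return ["entry has no objectClass"]
    required: Set[str] = set()
    allowed: Set[str] = set()
    for oc_name in e["objectclass"]:
        try:
            for c in effective_classes(oc_name):      # inherit MUST/MAY up the chain
                required |= SCHEMA[c].requires
                allowed |= SCHEMA[c].allows
        except KeyError:
            problems.append(f"unknown objectClass {oc_name!r}")
    present = set(e)
    for a in sorted(required - present):
        problems.append(f"missing required attribute {a!r}")
    for a in sorted(present - required - allowed):
        problems.append(f"attribute {a!r} not permitted by the entry's objectClasses")
    for a, vals in e.items():
        at = ATTRS.get(a, AttributeType("CIS"))
        if at.single_valued and len(vals) > 1:
            problems.append(f"{a!r} is single-valued but has {len(vals)} values")
        if at.syntax == "INT" and not all(v.lstrip("-").isdigit() for v in vals):
            problems.append(f"{a!r} must be an integer, got {vals!r}")
        if at.syntax == "DN" and not all("=" in v for v in vals):
            problems.append(f"{a!r} must hold distinguished names, got {vals!r}")
    return problems


def values_equal(attr: str, a: str, b: str) -> bool:
    """Compare with the attribute's matching rule: CIS ignores case and runs of
    whitespace, INT compares numerically, CES/BIN/DN are exact here."""
    syntax = ATTRS.get(attr.lower(), AttributeType("CIS")).syntax
    if syntax == "INT":
        return int(a) == int(b)
    if syntax == "CIS":
        return " ".join(a.split()).lower() == " ".join(b.split()).lower()
    return a == b


# Constructed entries: one valid person with a Unix account, one with several faults.
VALID_ENTRY = {"objectClass": ["top", "person", "organizationalPerson", "posixAccount"],
               "cn": ["Jane Example"], "sn": ["Example"], "uid": ["jexample"],
               "uidNumber": ["10042"], "gidNumber": ["100"],
               "homeDirectory": ["/home/jexample"], "ou": ["Office of Information Technology"]}
BAD_ENTRY = {"objectClass": ["top", "person", "posixAccount"],
             "cn": ["Jane Example"], "uid": ["jexample"],
             "uidNumber": ["10042", "10043"], "gidNumber": ["staff"],
             "homeDirectory": ["/home/jexample"], "mail": ["jexample@example.edu"]}

if __name__ == "__main__":
    print("valid:", validate(VALID_ENTRY))
    print("bad:", *validate(BAD_ENTRY), sep="\n  ")
```

The bad entry is rejected for four independent reasons (no sn, a mail attribute no listed class allows, two values in a single-valued uidNumber, and a non-numeric gidNumber), which is the sort of garbage a self-service account form produces if the server does not check.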

LDAP – Security (authentication): “bind” (connect) to the service anonymously, or as a DN, usually with a simple password. However, other methods are supported: Kerberos, SSL, … extensible.
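To see why the slide lists SSL next to the simple password, it helps to look at the bytes of a simple bind. The following is an added example, not code from the presentation: it encodes an LDAPv3 BindRequest in BER (RFC 4511 / X.690) and decodes one back, using a constructed DN and password. Two things fall out of it: the password sits in the PDU as plain octets, so a simple bind is only as private as the transport under it, and a non-empty DN with an empty password is an "unauthenticated" bind (RFC 4513 section 5.1.2) that many servers answer with success, so the client refuses to send one.

```python
"""Encode and decode an LDAPv3 simple BindRequest (RFC 4511, BER per X.690).

Added example, not from the presentation. The bind DN and password used in
the tests and in __main__ are constructed.
"""
from typing import Tuple


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(v: int) -> bytes:
    """INTEGER (tag 0x02), two's complement, minimal length."""
    size = max(1, (v.bit_length() + 8) // 8)
    return tlv(0x02, v.to_bytes(size, "big", signed=True))


def simple_bind_request(message_id: int, bind_dn: str, password: bytes) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }.

    RFC 4513 defines three simple-bind forms: anonymous (empty name, empty
    password), unauthenticated (name, empty password) and name/password.
    Only the first and the last are sent here.
    """
    if bind_dn and not password:
        raise ValueError("DN with empty password is an unauthenticated bind; refusing to send it")
    if not bind_dn and password:
        raise ValueError("password without a DN is not a defined simple-bind form")
    bind = tlv(0x60, ber_int(3)                       # version
               + tlv(0x04, bind_dn.encode("utf-8"))   # name (LDAPDN)
               + tlv(0x80, password))                 # simple [0] OCTET STRING, as-is
    return tlv(0x30, ber_int(message_id) + bind)


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, position after the element)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                                      # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n


def decode_simple_bind(pdu: bytes) -> Tuple[int, int, str, bytes]:
    """What the server decodes from the PDU, and equally what anything on the
    path sees when there is no SSL/TLS: (messageID, version, bind DN, password)."""
    tag, msg, _ = read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg, 0)
    tag, bind, _ = read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, ver, pos = read_tlv(bind, 0)
    _, name, pos = read_tlv(bind, pos)
    tag, auth, _ = read_tlv(bind, pos)
    if tag != 0x80:
        raise ValueError("not the simple authentication choice")
    return (int.from_bytes(mid, "big", signed=True),
            int.from_bytes(ver, "big", signed=True),
            name.decode("utf-8"), auth)


if __name__ == "__main__":
    pdu = simple_bind_request(1, "uid=banz,ou=accounts,o=umbc.edu", b"constructed-password")
    print(pdu.hex())
    print(decode_simple_bind(pdu))
```

The anonymous form is allowed because the slide lists it as a legitimate way to bind; the decision to refuse the unauthenticated form belongs on the client, since the server's answer to it is configuration-dependent.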

LDAP - Replication: multiple servers == redundancy. Can replicate parts, or all, of the directory. Implementation specific.

A “Person”. Here’s a “typical” Person entry, of class umbcPerson (superior inetOrgPerson):
affiliation: staff
billingaddress: 8107 Callo Ln\nBaltimore, MD 21237
campusPostalAddress: 8107 Callo Ln\nBaltimore, MD 21237
cn: Robert Banz
cn: Banz, robert A.
createtimestamp: 20000810004455Z
creatorsname: uid=admin,ou=Administrators,ou=TopologyManagment,o=NetscapeRoot
dateofbirth: 08-Aug-72
departmentnumber: 360080
givenname: robert
guid: 6cbfa31e-6e14-11d4-9669-8020cd7816
homephone: 4106543175
mailacceptinggeneralid: robert_banz
mailacceptinggeneralid: robert.banz
maildrop: banz@umbc.edu
modifiersname: uid=admin,ou=Administrators,ou=TopologyManagment,o=NetscapeRoot
modifytimestamp: 20000901162434Z

…more person:
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectClass: inetOrgPerson
objectClass: umbcPerson
postalAddress: 1 Wellhaven Cir\nApt 1225\nOwings Mills, MD 21117
roomnumber: ECS
sn: banz
socialsecuritynumber: xxx885013
telephoneNumber: 4104553933
umbcbuckley: 00
umbcdatasource: SIS
umbcdatasource: HR
umbcdatecurrenttitle: 20000326050000Z
umbcdepartment: Office of Information Technology
umbchiredate: 19980126050000Z
umbclasttermelig: 199509
umbclasttermreg: 199509
umbcnameconfidential: 00
umbcofficebuilding: Engineering/Computer Science
umbcterminationcode: N
umbctitle: Technical Coordinator

UMBC’s Person Database: represent all needed HR & SIS information in an LDAP database. (Near) real-time synchronization. Entries are eternal, unique, non-reusable.

Our Identifier: must be “Universally Unique”. Using the DCE UUID: guaranteed unique over all time and space; not particularly for human consumption.

Structure - Hierarchical: location in the tree conveys meaning. Ideal for corporate environments; difficult for universities.

Structure - Flat: no meaning is conveyed by position in the tree, but by group membership or information in the entry. A person’s entry stays in the same place, while their position in the organization can be fluid.

UMBC’s Schema: keep in mind Internet2 Middleware Standards, it’s all about “interoperation”. Unfortunately, standards are not complete. eduPerson: http://www.educause.edu/eduperson

Implementation: made up of three main elements: LDAP Server Software; Hardware; Glue.

Implementation - Software: chose Netscape Directory Server. Mature product; considered the best, but not cheap. Handles the load: our Person Database has ~300,000 entries. Other alternatives: OpenLDAP, Innosoft, NDS, … many more.

Hardware. Master Server: Sun Enterprise 220R, 2G RAM (yes, it uses it), 2x 440mhz processors. Slave Servers (2): Sun NetraT1, 512M RAM (would love to have more), 1x 440mhz processor.

Glue: changes to Oracle SIS & HR tables cause entries to be made in a changelog table. A Perl script scans the log table and makes the appropriate changes. Web based utilities for editing & adding entries.

Future Directions. Campus MetaDirectory: synchronize the data sources we are synchronizing with. Driving Other Applications: Card Key Access Control; Single Application Interface.

UMBC’s Account Management: first application to make use of the LDAP Person Directory. It, itself, keeps most of its data in LDAP.

Account Management - Goals: utilize the Person Database for account authorization information. Web-enabled, for self service: account creation, password changing. Near-real-time creation. Manage both Krb5 & AFS metadata. Populate user’s account w/ default files. Manage the @umbc.edu email address space. Utilize RFC2307 compliant schema.

Account Management - Bitses: WebAdmin Interfaces; Kerberos & AFS Manager (accountqd); LDAP Based Mail Redirector; NIS Map Generator.

WebAdmin Interfaces: allows both self-service & administrator level account creation, account activation, account editing, Kerberos 5 password changes, … other administrative tasks.

accountqd: Perl daemon. Periodically (every 5 minutes) checks for account entries that need processing. Creates: Kerberos 5 instance; AFS ‘pts’ database entry; AFS volume. Populates the AFS volume with default files.

LDAP Based Mail Redirector: part of Sendmail 8.11 (also in previous versions, but less mature). Listed as other alias maps. One map keys on “mailacceptinggeneralid” in ou=People,o=umbc.edu and returns the maildrop entry(s) associated with the matching dn. The other keys on “uid” in ou=Accounts,o=umbc.edu and returns the maildrop entry(s). Much quicker than the old “phquery” mailer.
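The two alias maps described on this slide can be walked through with a small resolver. This is an added example, not the presentation's sendmail configuration or any UMBC code: the attribute names (mailacceptinggeneralid, maildrop, uid) and the two search bases are the slide's, the entries are constructed, and the "directory" is an in-memory list so it runs offline. It shows two things a practitioner would want from such a redirector: the search key comes straight from the envelope recipient, so the filter a real map sends has to be escaped per RFC 4515 (lookup_filter builds it), and a pair of entries that forward to each other must be stopped by a hop limit rather than resolved forever.

```python
"""Resolve an @umbc.edu recipient the way the slide's two sendmail LDAP alias maps do.

Added example, not the presentation's own configuration or code. Entries and
the mailbox host are constructed; attribute names and bases follow the slide.
"""
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed sample directory. ou=People entries carry the names a person
# accepts mail as; ou=Accounts entries map a login to the real mailbox.
PEOPLE: List[Entry] = [
    {"dn": ["uid=jexample,ou=People,o=umbc.edu"],
     "mailacceptinggeneralid": ["jane_example", "jane.example"],
     "maildrop": ["jexample@umbc.edu"]},
    # Two entries that forward to each other: a deliberate alias loop.
    {"dn": ["uid=loopa,ou=People,o=umbc.edu"],
     "mailacceptinggeneralid": ["loopa"], "maildrop": ["loopb@umbc.edu"]},
    {"dn": ["uid=loopb,ou=People,o=umbc.edu"],
     "mailacceptinggeneralid": ["loopb"], "maildrop": ["loopa@umbc.edu"]},
]
ACCOUNTS: List[Entry] = [
    {"dn": ["uid=jexample,ou=Accounts,o=umbc.edu"], "uid": ["jexample"],
     "maildrop": ["jexample@mailhost.example.net"]},   # constructed mailbox host
]


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3),
    so that '*', '(', ')', '\\' and NUL in a recipient cannot change the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def lookup_filter(attr: str, key: str) -> str:
    """The equality filter a real alias map would send for this key."""
    return f"({attr}={escape_filter_value(key)})"


def search(entries: List[Entry], attr: str, key: str) -> List[Entry]:
    """Equality match with the case-ignore rule these string attributes use.
    Stands in for an LDAP search with lookup_filter(attr, key)."""
    return [e for e in entries if any(v.lower() == key.lower() for v in e.get(attr, []))]


def resolve(address: str, max_hops: int = 5) -> List[str]:
    """Follow the People map, then the Accounts map, until every address is
    non-local. An unknown local part resolves to [] (the MTA bounces it); a
    forwarding loop raises once the hop budget is spent."""
    local, _, domain = address.partition("@")
    if domain.lower() != "umbc.edu":
        return [address]                       # not ours: deliver as-is
    if max_hops == 0:
        raise RuntimeError(f"alias loop while resolving {address!r}")
    matches = search(PEOPLE, "mailacceptinggeneralid", local) or search(ACCOUNTS, "uid", local)
    if not matches:
        return []
    return [final for e in matches for drop in e["maildrop"]
            for final in resolve(drop, max_hops - 1)]


if __name__ == "__main__":
    for addr in ("Jane.Example@umbc.edu", "jexample@umbc.edu", "nobody@umbc.edu"):
        print(addr, "->", resolve(addr), " filter:", lookup_filter("mailacceptinggeneralid", addr.split("@")[0]))
```

The chain for Jane.Example@umbc.edu runs through both maps, exactly as the slide's entry does: the People map turns the accepted name into the maildrop banz@umbc.edu-style local address, and the Accounts map turns that uid into the mailbox.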

NIS Map Updater: Perl script. Runs every 15 minutes on NIS master servers. Generates NIS maps based on information in the ou=Accounts tree. Will be replaced…

Future Stuff: the WebAdmin interface isn’t complete: alias management, account deletion (yay!) … however, the first few weeks of a semester are kind of busy. OSes that support it (Solaris, IRIX, etc) can query LDAP directly (the RFC2307 schema thing).

Places to Visit:
Internet2 – http://www.internet2.edu
WebAdmin – http://webadmin.umbc.edu/
LDAPworld – http://www/innosoft.com/ldapword
ModPerl (all of our interfaces are written in it) – http://perl.apache.org
UMBC’s UCE Home – http://www.gl.umbc.edu (if we post any of our code, this is where you’ll find it)